[00:08.410 --> 00:17.230]  We would like to say, first of all, thanks to everybody that made it possible to be here. To the
[00:17.230 --> 00:28.050]  DEF CON staff, the Baidu, everybody. This is a dream. Thank you very much. Well, we both are a
[00:28.050 --> 00:41.570]  big bag of nerves, so we will try to do our best. Well, presentations. My partner, my colleague, he
[00:41.570 --> 00:53.650]  comes from Argentina. He's one of the members in the red team in ASEC Auditors. We work together.
[00:53.650 --> 01:08.670]  And he has been a bug bounty hunter for a long time. Well, this is his Twitter account. And me. I am
[01:08.670 --> 01:16.410]  Gonzalo Sanchez. I come from Spain. I'm the red team leader in ASEC Auditors. And well, this is my
[01:16.410 --> 01:24.230]  LinkedIn account, in case anybody wants to contact. Yeah.
[01:25.010 --> 01:37.510]  Hello, DEF CON. Today we present how to use Google with different compression formats.
[01:37.510 --> 01:49.390]  Well, what are we going to talk about? We bring to the account a vulnerability in Google Earth. Why
[01:49.390 --> 02:02.210]  Google Earth? Well, because Google is a challenge. A very huge company with fantastic products, with a
[02:02.210 --> 02:12.270]  very good reputation, with reliable levels of security in their products. Many people use Google products.
[02:12.270 --> 02:23.690]  And if you are able to have a vulnerability, find a vulnerability, and use it to spread malware, you are
[02:23.690 --> 02:35.070]  using a platform with a spreading potential. Very huge, very big. So in this case, for malware
[02:35.070 --> 02:44.470]  application, it's perfect. Nice Kilombo. This is the name of the account.
[02:45.360 --> 02:56.990]  Nice Kilombo. Kilombo is a very popular phrase in Argentina, which refers to having one or more problems.
[02:57.590 --> 03:09.970]  Confusion, problem, mess. This is Kilombo. Well, the attack vector, KML files. What is a KML file?
[03:09.970 --> 03:22.690]  It's a file with a very similar format to XML, with graphical information inside. This is the key import
[03:22.690 --> 03:34.050]  table in Google Earth. We are going to work with the description file of the KML file. We are going to
[03:34.050 --> 03:51.450]  show an example of a file. Please guys, can you connect the screen? We are going to show a file, an
[03:51.450 --> 04:02.790]  example of KML file with a location that is this hotel. Wow. Easy. It's a very similar format
[04:03.010 --> 04:14.310]  compared to, sorry, with an XML file. The key here is that we have field files with the location of the
[04:14.310 --> 04:22.110]  hotel, name, swap, and here the magic, the description file. This is the file that we are going to use
[04:22.110 --> 04:30.290]  in the next vulnerabilities. Another kind of file for attack vectors is KMZ. It's the same as a
[04:30.290 --> 04:39.030]  KML file, but compressed with zip format. If you take the same file that we have seen, you compress it
[04:39.030 --> 04:48.810]  in zip file and you import it in Google Earth. Google Earth renders the file and shows the location.
[04:48.810 --> 05:01.750]  Easy. There is no need to waste time. There is an advantage when we talk about the KMZ file, that is the
[05:01.750 --> 05:12.090]  obfuscation because the file is compressed and it complicates to identify the payload of the file.
[05:12.090 --> 05:18.150]  They are not suspicious files. We are familiar with executable files talking about malware, but
[05:18.750 --> 05:28.930]  probably if you see a KML file, you don't suspect about this file. This is an advantage for us. It's
[05:28.930 --> 05:34.830]  obfuscated because it's compressed and it's very common in Internet. We can find a lot of files in
[05:34.830 --> 05:52.890]  Internet. Where can we find this kind of file? Forums, for example, Pokemon Go, sites of
[05:53.590 --> 06:03.150]  bicycle routes, official sites with geographical information, earthquakes, fires. This is an example
[06:03.150 --> 06:13.050]  of NASA. There's a lot of sites sharing information in this kind of format. This is the
[06:13.050 --> 06:24.230]  victim and host with Google Earth. The victim imports a KML file and into this file comes the
[06:24.230 --> 06:32.210]  downloader. The downloader is executed and communicates with an intermediate server that is
[06:32.770 --> 06:38.990]  communicating with the real attacker, with the real payload that is downloaded by the intermediate
[06:38.990 --> 06:47.390]  server and it's delivered to the victim. And after that, the connection directly with the
[06:47.390 --> 06:58.830]  attacker. We have detected this problem with the current versions of Google Earth for Windows
[06:58.830 --> 07:12.370]  and Linux. In this presentation, we are focused on the Windows version. Summary. Location. The
[07:12.370 --> 07:19.250]  vulnerability is present in the JavaScript core of Google Earth. And we are talking about a
[07:19.250 --> 07:27.870]  null pointer and also an injection of JavaScript. We are going to see this in detail. Well, we
[07:27.870 --> 07:35.010]  bring three impacts to show. A remote shell and a Google cookie takeover using the null pointer
[07:35.010 --> 07:42.490]  vulnerability and Monero mining using the JavaScript injection. This is a virtual machine that
[07:42.490 --> 07:54.390]  will be the attacker. And the victim is my computer. And my computer is Windows. Okay. And this is
[07:54.390 --> 08:08.470]  the virtual machine with the real attacker. Well, the victim has Google Earth and he has
[08:08.470 --> 08:21.190]  imported a site with an arbitrary name that in this case is Google One. Well, we have to start
[08:21.190 --> 08:29.590]  the server. The server is the intermediate server. In order to make the presentation easy,
[08:29.590 --> 08:34.930]  the intermediate server and the attacker will be the same machine. This one. Okay? The
[08:34.930 --> 08:45.170]  intermediate server is the attacker. Okay. This is the intermediate server. The victim has
[08:45.170 --> 08:55.170]  imported and clicked on the site and the connection has been received on the intermediate server. So,
[08:56.050 --> 09:07.270]  we have it. And we are going to show the remote shell. The impact one. Okay. First of all, basic
[09:08.030 --> 09:16.430]  execution. We will show and we will show the exploit. Well, DEF CON has the exploit and
[09:16.430 --> 09:26.190]  probably will show it when Google fixes this problem. But this is a help to use it.
[09:26.190 --> 09:41.390]  we are going to execute the command. Remote command. Basic operation like, uh, sample and
[09:41.390 --> 09:50.250]  it's received. And now we can access files on the victim. The file is downloaded and we have
[09:50.250 --> 09:58.890]  it into the attacker machine. We have access to the victim's file. The file is downloaded and we
[09:58.890 --> 10:09.270]  can check it. Bingo. Okay. This is for the impact one. Remote shell and file access into the
[10:09.270 --> 10:21.870]  victim's file. Okay. Guys, please return to the presentation. Impact two. We are
[10:21.870 --> 10:39.250]  going to use the victim's computer to mine Monero. Here we have a problem because
[10:39.250 --> 10:47.610]  we cannot connect to this site with internet connection, but we can show at least the
[10:48.230 --> 10:55.590]  KML file. Here we are not exploiting the null pointer vulnerability. Here we are
[10:56.530 --> 11:05.150]  injecting JavaScript code into the description file. What we are doing here is connecting with
[11:05.150 --> 11:14.350]  Coinhive and downloading the JavaScript code for the Monero mining. When you import
[11:14.350 --> 11:22.070]  this file in Google Earth, the machine starts mining and resources collapse and what? You have a
[11:22.070 --> 11:29.530]  problem with your computer. But as I said, we cannot solve this
[11:29.530 --> 11:37.210]  problem because there is a problem with the internet connection in this case. So we can
[11:38.110 --> 11:49.570]  continue with the presentation. And the last impact is the Google account hijacking. What we
[11:49.570 --> 11:58.290]  are going to do is to take over the cookies of the victims. What we are doing now, because we
[11:58.290 --> 12:06.470]  have access to the files in the victim's computer, we are accessing the cookies
[12:06.470 --> 12:20.170]  SQLite file in the Firefox folder where the victim stores its own Gmail cookies. What do
[12:20.170 --> 12:28.030]  we need in this case? This is a type of social engineering attack because we need that the
[12:28.030 --> 12:38.110]  victim has opened the Firefox browser with an open session in Gmail. With this file with the
[12:38.110 --> 12:45.730]  credentials inside. In this attack, the victim with the browser open, with the Gmail account
[12:45.730 --> 12:58.010]  opened, imports the KML file in Google Earth and we have access to its cookies file. Now we go to
[12:58.010 --> 13:07.710]  our browser. This is the folder of the attacker because we are going to open the Firefox
[13:07.710 --> 13:21.730]  browser in the attacker PC, opening the cookies of the victim. We delete any cookie in the
[13:21.730 --> 16:15.900]  attacker's browser. Import the file. Again, we have the cookies file. We are going to export
[16:16.780 --> 16:54.000]  information in CSV format. And once it's exported, we are going to import. We are using
[16:54.000 --> 18:13.710]  CSV format in order to make the transport between files easy. To repeat, in this case, sorry,
[18:13.710 --> 18:49.540]  we are a little bit nervous. This is the server. Start from the beginning. The victim clicks on
[18:49.540 --> 19:54.740]  the malicious site. Oops. Victim clicks. Something is wrong. What? Something is going wrong.
[20:03.620 --> 20:17.020]  better. If you can see this, this is a virtual machine. Windows of the victim. The victim has opened
[20:17.560 --> 20:28.020]  Firefox. Now we are starting the server. Same that we did some seconds ago. And the victim clicks on the
[20:29.260 --> 20:41.880]  malicious file. Here the connection is received. And now we execute with the get cookie option. Here we
[20:41.880 --> 20:55.860]  have exported the file. And here we are exporting in CSV format. Select all from the Mozilla cookies
[20:55.860 --> 21:09.360]  table. This is the cookies file of the Mozilla Firefox of the attacker. We are going to drop the table
[21:09.360 --> 21:16.860]  with the cookies of the attacker. And we are going to import here the victim's cookies. Drop the
[21:16.860 --> 21:31.440]  current table of Mozilla cookies and import with the file generated. And open Firefox. And we have
[21:31.440 --> 21:42.980]  the session of the victim. Please excuse that we didn't achieve this in live show, but it's so
[21:42.980 --> 21:52.380]  difficult to achieve it. So, these are the three paths that we wanted to show. It's a short
[21:52.680 --> 21:59.400]  description in order when they've conserved the exploit to everybody. The malicious KML
[21:59.400 --> 22:09.440]  file we have seen so many times this morning. This is the server, the internet server that receives the
[22:09.440 --> 22:18.500]  communications from the victim. And this is the attacker. This is the Python that has mainly all
[22:18.500 --> 22:28.280]  the functionality. Everything is developed in Python. And well, this is the structure of the
[22:28.280 --> 22:42.670]  exploit. And well, many thanks for everything. Incredibly hard two days with a lot of problems with
[22:42.670 --> 22:53.450]  connections, and it was hard for us to bring, but at least we could show you this
[22:53.450 --> 23:02.070]  material. So thank you very much to everybody, especially the guys that helped us in the last
[23:02.070 --> 23:12.310]  hour. Hector Paulino, well, a lot of people. Raiko. And thank you everybody for being here and giving
[23:12.310 --> 23:20.850]  us the opportunity to tell this and show this. I hope you enjoy the material. Thanks.
